A previously unreported advanced banking trojan named Gustuff can steal funds from accounts at over 100 banks across the world and rob users of 32 cryptocurrency Android apps.

The threat sells for a monthly subscription of $800 and it was first spotted in April 2018. Its developer promotes it as an upgraded variant of AndyBot banking malware whose activity has been tracked since 2017.

Casting a wide net

The malware includes code to target top international banks such as Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, and PNC Bank. It also searches for cryptocurrency wallet apps such as Bitcoin Wallet and the apps of services including BitPay, Cryptopay, Coinbase, and more.

Researchers at Group-IB, a security company specializing in preventing cyber attacks, noticed that Gustuff's code lists apps from banks in the US (27), Poland (16), Australia (10), Germany (9), and India (8).

However, other types of apps are also of interest: marketplaces, online stores, payment systems, and messaging solutions. Apps for PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut

Gustuff abuses Accessibility feature, can disable Google Protect

The malware relies on a relatively rare tactic to access and automatically change text fields in targeted apps. On compromised devices, Gustuff uses Android Accessibility services to interact with screens from other apps.

It is not the first threat to abuse this feature, which is intended to help people with disabilities use Android devices and apps. In this case, it serves a different purpose: bypassing protections against older generations of banking trojans as well as Google's security policy present in later versions of Android.

Group-IB says that one of the functions of the malware is to turn off Google Play Protect, the built-in anti-malware protection on Android.

Powered by machine learning algorithms, Google's default defense automatically scans the device to ensure that it benefits from the latest security measures.

Despite this, Gustuff's developer says that their code can successfully bring down Google's defense in 70% of the cases.

Built for massive spreading and utmost efficiency

Gustuff spreads to other mobile devices by reading the contact list of the compromised phone and sending out messages with a link to its APK installation file.

A database on the command and control (C2) server is also used to distribute the malware, the researchers note in a report published today.

The list of features available in the threat includes "sending information about the infected device to the C&C server, reading/sending SMS messages, sending USSD requests, launching SOCKS5 Proxy, following links, transferring files (including document scans, screenshots, photos) to the C&C server, and resetting the device to factory settings," says Group-IB.
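The Accessibility-service hook described above and the contact-list/SMS spreading and SMS read/send capabilities listed here all leave traces in an app's manifest. As an added example, not code from the article or from Group-IB's report, the script below triages a decoded AndroidManifest.xml for that combination; the function name, the sample manifests and the finding labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes are namespaced; ElementTree keys them as "{ns}name".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

def triage_manifest(manifest_xml: str) -> dict:
    """Flag the capability combination the article attributes to Gustuff."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A_NAME) for e in root.iter("uses-permission")}
    findings = []
    # An accessibility service is declared with this permission so only the system
    # binds it; it is the hook used to read and fill fields in other apps' screens.
    if any(s.get(A_PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
           for s in root.iter("service")):
        findings.append("accessibility_service")
    # Contact list access plus SMS sending matches the reported spreading method.
    if {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"} <= perms:
        findings.append("contacts_and_send_sms")
    # Reading or receiving SMS matches the reported SMS read/send capability.
    if {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"} & perms:
        findings.append("sms_access")
    return {"package": root.get("package"), "findings": findings, "score": len(findings)}

# Constructed sample manifest (not from any real app) carrying all three indicators.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".ScreenService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest: one network permission and no services.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""
```

A single permission from this set is common in legitimate apps; the score is only a prompt for manual review of samples that combine all of them.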

Another functionality is to show the victim fake push notifications with icons from legitimate apps. One purpose is to steal account credentials by displaying a false login page downloaded from the attacker's server.

Another goal is to force the victim to log into the real account so that the malware can run its autofill routine on payment fields and initiate unauthorized transactions.

Gustuff is the work of a Russian-speaking cybercriminal, but its operations are mainly outside Russia, which is characteristic of all new Android trojans peddled on underground forums.

Following arrests of the owners of some of the largest Android botnets, Russia saw a significant drop in cyber-related thefts. As developers of trojans turned to other markets, "some hackers 'patch' (modify) the Trojan samples and reuse it in their attacks on users in Russia," says Rustam Mirkasymov, Head of Dynamic Analysis of Malware Department at Group-IB.
